[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Damian Menscher damian at google.com
Sun Sep 4 04:07:25 UTC 2016

On Sat, Sep 3, 2016 at 8:23 PM, Roland Dobbins <rdobbins at arbor.net> wrote:

> On 4 Sep 2016, at 8:42, Damian Menscher wrote:
> At that point the attacker could just hit the victim
>> directly.
> That's the whole point of reflection - to do so *indirectly*, heh.

To what end?  If they want to obfuscate the source IP, why not simply spoof
the source IPs in a direct attack?  I maintain that amplification is key --
reflection is just a means to an end.  (Reflection potentially makes
traceback slightly harder, but it's hard to imagine any attacker caring
about that.)

RRL applied at authoritative servers doesn't accomplish anything -- all
>> amplification attacks reflect off recursive resolvers, not authoritative
>> servers.
> Actually, quite a bit of DNS reflection/amplification is direct from the
> initiators to the reflectors/amplifiers (in this case, the authoritative
> servers).  There are essentially two variants of DNS
> reflection/amplification - one involving a tier of open recursors, the
> other not utilizing them.
> RRL on the authoritatives being used helps in either scenario.

No.  Most attacks amplify off recursive resolvers, and those do a single
authoritative lookup which they then cache for its TTL.  RRL does nothing
to help in this case.

I understand that RRL can help in the case of amplification directly off
authoritative servers, but I've never seen an attacker do that (or perhaps
just didn't notice).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20160903/271f2afb/attachment.html>

More information about the dns-operations mailing list